OpenStack介绍:

OpenStack是一个由NASA(美国国家航空航天局)和Rackspace合作研发并发起的,以Apache许可证授权的自由软件和开放源代码项目。

OpenStack是一个开源的云计算管理平台项目,由几个主要的组件组合起来完成具体工作。OpenStack支持几乎所有类型的云环境,项目目标是提供实施简单、可大规模扩展、丰富、标准统一的云计算管理平台。OpenStack通过各种互补的服务提供了基础设施即服务(IaaS)的解决方案,每个服务提供API以进行集成。

OpenStack是一个旨在为公共及私有云的建设与管理提供软件的开源项目。它的社区拥有超过130家企业及1350位开发者,这些机构与个人都将OpenStack作为基础设施即服务(IaaS)资源的通用前端。OpenStack项目的首要任务是简化云的部署过程并为其带来良好的可扩展性。本文希望通过提供必要的指导信息,帮助大家利用OpenStack前端来设置及管理自己的公共云或私有云。

OpenStack云计算平台,帮助服务商和企业内部实现类似于 Amazon EC2 和 S3 的云基础架构服务(Infrastructure as a Service, IaaS)。OpenStack 包含两个主要模块:Nova 和 Swift,前者是 NASA 开发的虚拟服务器部署和业务计算模块;后者是 Rackspace开发的分布式云存储模块,两者可以一起用,也可以分开单独用。OpenStack除了有 Rackspace 和 NASA 的大力支持外,还有包括 Dell、Citrix、 Cisco、 Canonical等重量级公司的贡献和支持,发展速度非常快,有取代另一个业界领先开源云平台 Eucalyptus 的态势。

OpenStack架构1:
OpenStack-liberty版Keytone服务部署(一)_第1张图片

OpenStack架构2:
OpenStack-liberty版Keytone服务部署(一)_第2张图片

OpenStack版本:
OpenStack-liberty版Keytone服务部署(一)_第3张图片

OpenStack官网:
http://www.openstack.org/

OpenStack Services:
OpenStack-liberty版Keytone服务部署(一)_第4张图片

实验架构:
环境:
操作系统:
CentOS-7-x86_64-Minimal-1611
OpenStack版本:liberty

linux-node1.smoke.com: 192.168.56.11 控制节点
OpenStack-liberty版Keytone服务部署(一)_第5张图片
linux-node2.smoke.com: 192.168.56.12 计算节点
OpenStack-liberty版Keytone服务部署(一)_第6张图片

node1:
修改主机名:注意:修改主机名,以后不能更改。

[root@localhost ~]# hostname linux-node1.smoke.com`
[root@localhost ~]# vim /etc/hostname
hostname linux-node1.smoke.com

网卡配置:

[root@linux-node1 ~]# ifconfig 
ens33: flags=4163  mtu 1500
        inet 192.168.56.11  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe81:308f  prefixlen 64  scopeid 0x20
        ether 00:0c:29:81:30:8f  txqueuelen 1000  (Ethernet)
        RX packets 1198  bytes 105479 (103.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1079  bytes 228271 (222.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163  mtu 1500
        inet 192.168.47.136  netmask 255.255.255.0  broadcast 192.168.47.255
        inet6 fe80::20c:29ff:fe81:3099  prefixlen 64  scopeid 0x20
        ether 00:0c:29:81:30:99  txqueuelen 1000  (Ethernet)
        RX packets 20266  bytes 29152833 (27.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4139  bytes 258109 (252.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

添加hosts文件:

[root@linux-node1 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.11   linux-node1 linux-node1.smoke.com
192.168.56.12   linux-node2 linux-node2.smoke.com

时间同步:会影响OpenStack正常运行。

[root@linux-node1 ~]# yum -y install chrony
[root@hostnamelinux-node1 ~]# vim /etc/chrony.conf 
[root@hostnamelinux-node1 ~]# cat << EOF > /etc/chrony.conf
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
allow 192.168.0.0/16
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
EOF
[root@linux-node1 ~]# systemctl enable chronyd.service
[root@linux-node1 ~]# systemctl start chronyd.service
[root@hostnamelinux-node1 ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ ntp1.flashdance.cx            2   6   313    96    +17ms[  +37ms] +/-  194ms
^? ntp5.flashdance.cx            2   6     1    38    +30ms[  +49ms] +/-  202ms
^- correo.poashosting.com        2   6    75    38    -45ms[  -25ms] +/-  249ms
^* cn.ntp.faelix.net             2   6    77    36    +25ms[  +45ms] +/-  163ms

设置时区:
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai

[root@linux-node1 ~]# date
2018年 09月 30日 星期日 22:33:31 CST

安装MySQL:
我这里使用vault.centos的yum源;

[root@linux-node1 ~]# vim /etc/yum.repos.d/openstack_liberty.repo 
[openstack-liberty]
name=openstack-liberty
baseurl=http://vault.centos.org/centos/7.3.1611/cloud/x86_64/openstack-liberty/
gpgcheck=0
gpgkey=http://vault.centos.org/RPM-GPG-KEY-CentOS-7
repo_gpgcheck=0
enabled=1
[root@localhost ~]# yum clean all
[root@localhost ~]# yum makecache
[root@linux-node1 ~]# yum -y install mariadb mariadb-server MySQL-python

[root@linux-node1 ~]# cp /usr/share/mariadb/my-medium.cnf /etc/my.cnf
cp:是否覆盖"/etc/my.cnf"? y
[root@linux-node1 ~]# vim /etc/my.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
[root@linux-node1 ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@linux-node1 ~]# systemctl start mariadb.service
[root@linux-node1 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@linux-node1 ~]# mysql -uroot -psmoke520
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)

MariaDB [(none)]> use mysql;
Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
30 rows in set (0.01 sec)

MariaDB [mysql]> exit;
Bye

Keystone数据库:

[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE keystone;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"

Glance数据库:

[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE glance;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';"

Nove数据库:

[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE nova;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';"

Neutron数据库:

[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE neutron;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"

Cinder数据库:

[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE cinder;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| cinder             |
| glance             |
| information_schema |
| keystone           |
| mysql              |
| neutron            |
| nova               |
| performance_schema |
+--------------------+
8 rows in set (0.00 sec)

MariaDB [(none)]> exit;
Bye

SOA(面向服务的架构) :
面向服务架构,它可以根据需求通过网络对松散耦合的粗粒度应用组件进行分布式部署、组合和使用。服务层是SOA的基础,可以直接被应用调用,从而有效控制系统中与软件代理交互的人为依赖性。
SOA是一种粗粒度、松耦合服务架构,服务之间通过简单、精确定义接口进行通讯,不涉及底层编程接口和通讯模型。SOA可以看作是B/S模型、XML(标准通用标记语言的子集)/Web Service技术之后的自然延伸。
SOA将能够帮助软件工程师们站在一个新的高度理解企业级架构中的各种组件的开发、部署形式,它将帮助企业系统架构者以更迅速、更可靠、更具重用性架构整个业务系统。较之以往,以SOA架构的系统能够更加从容地面对业务的急剧变化。

体系结构:
松耦合的系统

基本特征:
可从企业外部访问
随时可用
粗粒度的服务接口分级
松散耦合
可重用的服务
服务接口设计管理
标准化的服务接口
支持各种消息模式
精确定义的服务契约

SOA 服务用消息进行通信,该消息通常使用XML Schema来定义(也叫做XSD, XML Schema Definition)。消费者和提供者或消费者和服务之间的通信多见于不知道提供者的环境中。服务间的通讯也可以看作企业内部处理的关键商业文档。

SOA服务通过一个扮演目录列表(directory listing)角色的登记处(Registry)来进行维护。应用程序在登记处(Registry)寻找并调用某项服务。统一描述,定义和集成(UDDI, Universal Description, Definition, and Integration)是服务登记的标准。

安装Message queue(消息队列):
OpenStack支持RabbitMQ,Qpid,ZeroMQ消息队列。
[root@linux-node1 ~]# yum -y install rabbitmq-server

如果yum无法安装,可以到官网下载最新包安装,https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.8

rabbitmq-server依赖Erlang:

[root@linux-node1 ~]# vim /etc/yum.repos.d/rabbitmq-erlang.repo
[rabbitmq-erlang]
name=rabbitmq-rlang
baseurl=https://dl.bintray.com/rabbitmq/rpm/erlang/20/el/7
gpgcheck=1
gpgkey=https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
repo_gpgcheck=0
enabled=1
[root@linux-node1 ~]# yum clean all
[root@linux-node1 ~]# yum makecache
[root@linux-node1 ~]# ll
总用量 9340
-rw-------. 1 root root    1245 7月  18 19:48 anaconda-ks.cfg
-rw-r--r--  1 root root 9557762 10月  1 01:08 rabbitmq-server-3.7.8-1.el7.noarch.rpm

[root@linux-node1 ~]# yum -y install rabbitmq-server-3.7.8-1.el7.noarch.rpm

[root@linux-node1 ~]# systemctl enable rabbitmq-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@linux-node1 ~]# systemctl start rabbitmq-server.service

rabbitmq端口5672;

[root@linux-node1 ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      83984/beam.smp      
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      84140/epmd          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      899/sshd            
tcp6       0      0 :::5672                 :::*                    LISTEN      83984/beam.smp      
tcp6       0      0 :::3306                 :::*                    LISTEN      11484/mysqld        
tcp6       0      0 :::4369                 :::*                    LISTEN      84140/epmd          
tcp6       0      0 :::22                   :::*                    LISTEN      899/sshd    

添加用户:

[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack
Creating user "openstack" ...

授权用户:

[root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

安装rabbitmq web插件:

[root@linux-node1 ~]# rabbitmq-plugins list
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status: * = running on rabbit@linux-node1
 |/
[  ] rabbitmq_amqp1_0                  3.7.8
[  ] rabbitmq_auth_backend_cache       3.7.8
[  ] rabbitmq_auth_backend_http        3.7.8
[  ] rabbitmq_auth_backend_ldap        3.7.8
[  ] rabbitmq_auth_mechanism_ssl       3.7.8
[  ] rabbitmq_consistent_hash_exchange 3.7.8
[  ] rabbitmq_event_exchange           3.7.8
[  ] rabbitmq_federation               3.7.8
[  ] rabbitmq_federation_management    3.7.8
[  ] rabbitmq_jms_topic_exchange       3.7.8
[  ] rabbitmq_management               3.7.8
[  ] rabbitmq_management_agent         3.7.8
[  ] rabbitmq_mqtt                     3.7.8
[  ] rabbitmq_peer_discovery_aws       3.7.8
[  ] rabbitmq_peer_discovery_common    3.7.8
[  ] rabbitmq_peer_discovery_consul    3.7.8
[  ] rabbitmq_peer_discovery_etcd      3.7.8
[  ] rabbitmq_peer_discovery_k8s       3.7.8
[  ] rabbitmq_random_exchange          3.7.8
[  ] rabbitmq_recent_history_exchange  3.7.8
[  ] rabbitmq_sharding                 3.7.8
[  ] rabbitmq_shovel                   3.7.8
[  ] rabbitmq_shovel_management        3.7.8
[  ] rabbitmq_stomp                    3.7.8
[  ] rabbitmq_top                      3.7.8
[  ] rabbitmq_tracing                  3.7.8
[  ] rabbitmq_trust_store              3.7.8
[  ] rabbitmq_web_dispatch             3.7.8
[  ] rabbitmq_web_mqtt                 3.7.8
[  ] rabbitmq_web_mqtt_examples        3.7.8
[  ] rabbitmq_web_stomp                3.7.8
[  ] rabbitmq_web_stomp_examples       3.7.8

[root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management
[root@linux-node1 ~]# systemctl restart rabbitmq-server.service

查看rabbitmq web监听端口15672:

[root@linux-node1 ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      86563/beam.smp      
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      86759/epmd          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      899/sshd            
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      86563/beam.smp      
tcp6       0      0 :::5672                 :::*                    LISTEN      86563/beam.smp      
tcp6       0      0 :::3306                 :::*                    LISTEN      11484/mysqld        
tcp6       0      0 :::4369                 :::*                    LISTEN      86759/epmd          
tcp6       0      0 :::22                   :::*                    LISTEN      899/sshd 

如果无法使用guest登录,设置guest用户可以远程登录;
找到{loopback_users, [<<"guest">>]},修改为{loopback_users,[guest]},

[root@linux-node1 ~]# vim /usr/lib/rabbitmq/lib/rabbitmq_server-3.7.8/ebin/rabbit.app 
{loopback_users, [guest]},

通过web登录rabbitmq:默认账号guest,密码guest;
OpenStack-liberty版Keytone服务部署(一)_第7张图片

登录成功:
OpenStack-liberty版Keytone服务部署(一)_第8张图片

设置openstack用户登录,击Admin;
OpenStack-liberty版Keytone服务部署(一)_第9张图片

点击openstack用户名--Update this user,password填写openstack,Tags输入框填写administrator(注意大小写),填写完成点击update user;
OpenStack-liberty版Keytone服务部署(一)_第10张图片

保存完成,退出该账户;
OpenStack-liberty版Keytone服务部署(一)_第11张图片

使用openstack账户,密码openstack登录;
OpenStack-liberty版Keytone服务部署(一)_第12张图片

Ksystone服务:
用户与认证:用户权限与用户行为跟踪;
服务目录:提供一个服务目录,包括所有服务项与相关Api的端点
OpenStack-liberty版Keytone服务部署(一)_第13张图片

Glance镜像服务:
用户认证:
User:用户
Tenant:租户 项目
Token:令牌
Role:角色

服务目录:
Service:服务
Endpoint:端点

安装Keystone:
[root@linux-node1 ~]# yum -y install -y openstack-keystone httpd mod_wsgi memcached python-memcached

生成随机码:

[root@linux-node1 ~]# openssl rand -hex 10
326ee23c014a46562fd5
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf 
[DEFAULT]
admin_token = 326ee23c014a46562fd5
[database]
connection = mysql://keystone:[email protected]/keystone

同步数据库:
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
同步后会生成keystone.log文件;

[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ls
keystone.log
[root@linux-node1 keystone]# ll
总用量 8
-rw-r--r--. 1 keystone keystone 7064 10月  4 22:12 keystone.log
[root@linux-node1 ~]# mysql -ukeystone -pkeystone -h192.168.56.11
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> use keystone
Database changed
MariaDB [keystone]> show tables;
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
44 rows in set (0.00 sec)

MariaDB [keystone]> exit;
Bye
[root@linux-node1 keystone]# cd /etc/keystone/
[root@linux-node1 keystone]# ls
default_catalog.templates  keystone.conf  keystone-paste.ini  logging.conf  policy.json  sso_callback_template.html
[root@linux-node1 keystone]# vim keystone.conf 
[memcache]
servers = 192.168.56.11:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[root@linux-node1 keystone]# grep '^[a-z]' keystone.conf 
admin_token = 326ee23c014a46562fd5
connection = mysql://keystone:[email protected]/keystone
servers = 192.168.56.11:11211
driver = sql
provider = uuid
driver = memcache

开启debug开关:

[root@linux-node1 keystone]# vim keystone.conf 
[DEFAULT]
verbose = true

启动memcache:

[root@hostnamelinux-node1 ~]# vim /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0,::1"
[root@hostnamelinux-node1 ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@linux-node1 ~]# systemctl start memcached.service

配置apache:

[root@linux-node1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357


    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    = 2.4>
      ErrorLogFormat "%{cu}t %M"
    
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    
        = 2.4>
            Require all granted
        
        
            Order allow,deny
            Allow from all
        
    



    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    = 2.4>
      ErrorLogFormat "%{cu}t %M"
    
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    
        = 2.4>
            Require all granted
        
        
            Order allow,deny
            Allow from all
        
    

可以直接复制keystone目录的配置文件进行修改或建立软连接,需要修改日志存放目录,默认目录不存在;
[root@linux-node1 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

[root@linux-node1 ~]# vim /etc/httpd/conf/httpd.conf 
ServerName 192.168.56.11:80

启动apache:

[root@linux-node1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 ~]# systemctl start httpd
[root@linux-node1 ~]# netstat -tnlp | grep httpd
tcp6       0      0 :::35357                :::*                    LISTEN      120896/httpd        
tcp6       0      0 :::5000                 :::*                    LISTEN      120896/httpd        
tcp6       0      0 :::80                   :::*                    LISTEN      120896/httpd 

设置Keystone环境变量:

[root@linux-node1 ~]# export OS_TOKEN=326ee23c014a46562fd5
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3

创建域:
如果没有openstack命令安装python-openstackclient;
[root@linux-node1 ~]# yum -y install python-openstackclient

如果没有默认域可以创建;

[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |Default Domain            |
| enabled     | True                             |
| id          | 1be6f6eb0b494adea06365ddfb4ce4b2 |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+

创建admin项目:

[root@linux-node1 ~]#  openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1e5c1cd4e97b4f1f92c538a57ed91557 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+

创建admin用户,密码admin;

[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | bd25f4a413df434c88f97c931ffb21e9 |
| name      | admin                            |
+-----------+----------------------------------+

创建admin角色:

[root@linux-node1 ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 64d8d757670044cc871223af98d0656e |
| name  | admin                            |
+-------+----------------------------------+

把admin用户加入admin项目赋予admin角色;
[root@linux-node1 ~]# openstack role add --project admin --user admin admin

创建demo项目:

[root@linux-node1 ~]#  openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 761cc6bb683d42c08dbbc7302ed1eb53 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+

创建demo密码:

[root@linux-node1 ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 7f35d8886a6940b09e0d5d04ca0436f2 |
| name      | demo                             |
+-----------+----------------------------------+

创建角色:

[root@linux-node1 ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | ea155cd2a72b4e4cb18c3da6edadd20d |
| name  | user                             |
+-------+----------------------------------+

把demo用户加入demo项目,赋予user角色;
[root@linux-node1 ~]# openstack role add --project demo --user demo user

创建service项目:

[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 20c603699825493c9fff2d07095573ac |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

验证创建项目、角色、用户;

[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 7f35d8886a6940b09e0d5d04ca0436f2 | demo  |
| bd25f4a413df434c88f97c931ffb21e9 | admin |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 64d8d757670044cc871223af98d0656e | admin |
| ea155cd2a72b4e4cb18c3da6edadd20d | user  |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 1e5c1cd4e97b4f1f92c538a57ed91557 | admin   |
| 20c603699825493c9fff2d07095573ac | service |
| 761cc6bb683d42c08dbbc7302ed1eb53 | demo    |
+----------------------------------+---------+
[root@linux-node1 ~]# openstack role assignment list 
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| ea155cd2a72b4e4cb18c3da6edadd20d | 7f35d8886a6940b09e0d5d04ca0436f2 |       | 761cc6bb683d42c08dbbc7302ed1eb53 |        | False     |
| 64d8d757670044cc871223af98d0656e | bd25f4a413df434c88f97c931ffb21e9 |       | 1e5c1cd4e97b4f1f92c538a57ed91557 |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

创建服务:

[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 01bfde7d5be74da9a96aecd2d9cf12eb |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

注册endpoint:
公网:

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c4b600ce1bf04ac09dd27f7c4e63f336 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v2.0   |
+--------------+----------------------------------+

私网:

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ee8c996fbaf3466c9221ebdc78eea3f0 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v2.0   |
+--------------+----------------------------------+

管理:

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9f38851343004386a1103ad1df4c8624 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v2.0  |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 9f38851343004386a1103ad1df4c8624 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v2.0 |
| c4b600ce1bf04ac09dd27f7c4e63f336 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v2.0  |
| ee8c996fbaf3466c9221ebdc78eea3f0 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+

清除掉环境变量:

[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL

请求token:

[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password: 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-10-07T08:30:51.014173Z      |
| id         | 5057f8f5b6c74f73a915fbfb74dffceb |
| project_id | d7064a9e91934300b28cccc787161fdb |
| user_id    | f8f1891482e54cb583e6b2564f2d14fb |
+------------+----------------------------------+

配置keystone环境变量:

[root@linux-node1 ~]# vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# chmod +x admin-openrc.sh 
[root@linux-node1 ~]# chmod +x demo-openrc.sh 

[root@hostnamelinux-node1 ~]# source admin-openrc.sh

[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-10-07T09:21:56.873147Z      |
| id         | da4ac1bf112446dca1d81127493d912e |
| project_id | d7064a9e91934300b28cccc787161fdb |
| user_id    | f8f1891482e54cb583e6b2564f2d14fb |
+------------+----------------------------------+